Oauth2 OIDC should use id_token for user profile

[sanglt]

Our org want to use Oauth2 OIDC with Okta as an IdP. I tried the integration with Azure AD and it is working but not Okta.

After looking into the way RabbitMQ work, I can see the oidc client use access_token from the response https://github.com/rabbitmq/rabbitmq-server/blob/main/deps/rabbitmq_management/priv/www/js/oidc-oauth/oidc-client-ts.js#L2311

I think the reason for this is backward work with OAuth2 flow? In fact many of OIDC client use the ID Token for the user identity, and access_token is for call external API.

Okta case above use a difference keys signed for id_token (tenant own) and access_token (okta own). The jwt_keys endpoint is only return the tenant own key and I get the error: Authentication using an OAuth 2/JWT token failed: {error,key_not_found} when making a call to RabbitMQ Management /api/whoami endpoint.

[michaelklishin]

You make claims that RabbitMQ should do this or that without any justification.

@MarcialRosales do you have an opinion? Is this something that we have seen interest in elsewhere?

[sanglt]

Hi @michaelklishin sorry to not make it clear. My point is current the RabbitMQ OIDC workflow using Access Token not ID Token.

Per OpenID connect spec: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
Not all SSO IdP will return access_token as jwt (See the 2.1.6.2):

 HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-cache, no-store
  Pragma: no-cache

  {
   "access_token":"SlAV32hkKG",
   "token_type":"Bearer",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "id_token":"eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso"
  }

And per OpenID Connect spec (part 2.2), the ID token contains claims about the authentication of an end-user.

I think this picture from auth0 blog will make it more clear:

[MarcialRosales]

Hi @sanglt , as it is clearly explained in the diagram you attached, the id_token is used for authentication, i.e. to identify who the user is and gather extra information about the user's profile such as family name, etc. The access_token is used for authorization and it carries the most important claim which is scope. RabbitMq does not really care about who the user is, but what the user can do.
Okta must issue an access_token to any user who wants to access the management ui. The resource owner is RabbitMQ and the user must have the appropriate permissions, i.e. scopes, to access such resource. Which ultimately is an api if you prefer to look at it. Because almost every interaction with the management ui makes a http request on the RabbitMQ management rest api.

I am planning on adding OKTA idp to our RabbitMq Oauth2 tutorial repo. You are very welcomed to contribute a PR.

[sanglt]

This is what I debugged so far:

1. After user logged in from okta and redirect back to /js/oidc-oauth/login-callback.html, with the correct token
2. The js script will try to load the _processClaims (Eg preferred_username_claims setting) using access_token from the response (The response object have id_token and access_token). This will have an api called RabbitMQ management api and somehow call decode_and_verify, which will read the value from jwks_url and validate. The current failed step is https://github.com/rabbitmq/rabbitmq-server/blob/main/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl#L61 because the kid Okta use for access_token is not include from jwks_url.

So I think the failed step is before management can check the extra scopes. access_token should be good for this purpose.

I also contact the OKTA too, and this is their response:

....
However, the short answer is - When you mint a token using the Built In Org Auth Server. The access tokens are opaque i.e. they are not JWTs and cannot be validated locally using kid from the /keys endpoint. Instead you need to use the /introspect endpoint and Okta will validate the token for you

If you use a custom authorization server (this is a paid feature - API Access Management. Contact your Account Rep if you would like this feature), the access tokens minted will be JWTs and will have a kid that correspond to those at the /keys endpoint for you to validate.

[MarcialRosales]

What Okta refers to as custom authorization server is what the other idps support out of the box.

However, there is an alternative. You can configure RabbitMQ with the signing key via configuration. And you can add new signing keys, in case you rotate them, dynamically via rabbitmctl. Please, check the RabbitMQ OAuth2 tutorial section on how to use multiple signing keys.

[sanglt]

Thanks @MarcialRosales

From RabbitMQ document:
Note: if both are configured, jwks_url takes precedence over signing_keys.

I will try to get the public value of the key that Okta signed for access_token and try again. From my developer portal, I can only have the key that signed for id_token.

[kfalconer]

@sanglt Were you able to get the public key value for the access_token? I am having the same exact issue working with Okta.

[sanglt]

@kfalconer no I don't have a way to get the public key value for access_token. Okta require us to paid extra (API Access Management) for using same signed key for both access_token and id_token. I end up with using Azure AD as an IdP for OIDC.